Authentication

Hey Vectolet27,

Please be more descriptive when you post. Which authentication page are you trying to bypass.

The authentication which is there is it in JS, PHP, or some other language, etc, etc, etc….

Brute-force is the 100% guaranteed way of getting by the authentication system. Trying all possible combinations is likely to take a lot of time and a dozen of other things are of no less concern. Look up the system that is responsible for the login and audit it or search for known exploits.

Exploiting is better than brute-forcing for sure.

Brute force attacks won’t work on web applications that have a lockout mechanism. I’d try to find out if it is possible to see if you can harvest usernames, than half of your job is done.

Bypassing an authentication mechanism is more to see if the mechanism is vulnerable to SQL-, LDAP- and/or XPATH-injections.

I have also seen mechanisms that store credentials in an XML file (passwords were MD5 hashed) which was accessible without any form of authentication.

[quote=0xDC]Brute force attacks won’t work on web applications that have a lockout mechanism. I’d try to find out if it is possible to see if you can harvest usernames, than half of your job is done.

Bypassing an authentication mechanism is more to see if the mechanism is vulnerable to SQL-, LDAP- and/or XPATH-injections.

I have also seen mechanisms that store credentials in an XML file (passwords were MD5 hashed) which was accessible without any form of authentication.[/quote]

Nobody is speaking in-depth of anything. Since if we are to get into that, OP would not get anything out of it. He is just seeking ways of bypassing the authentication. But since you’ve already mentioned it I’m gonna burden him a bit. I don’t know if you layout all your experience over HackThis (since SQL,LDAP and XPath have all been mentioned the past weeklol) but for the best I hope not. So as a matter of fact, if we consider your “lockout mechanism” you should be aware that there is this OSI model you know and eavesdropping over a certain protocol would be quite futile - in other words if one wants to crack into the login system via brute-forcing there could be tons of different implementations for that to happen. Take an example with the simplest. If I were to brute-force something, I’d do it over TCP with a low TTL and an entire network of spoofed protocol sources. In addition to that I could apply polymorphism for the separate requests so as not to get them traced or related in between themselves. And who says SQL, LDAP and XPath are the only ways of validating user input lol? Just because kids mention them here doesn’t mean a thing. All the tricks that can be done with the meta http-equiv, xfs, deserialization of input data, xsl inclusions, ssi injection, webdav and so on and so forth - thing is list goes forever.

Or if there’s a network IDS sensor on the semi-private DMZ you can perform all kinds of anomaly detection through the IDS and evade the traffic by altering the flow and not match the signature. This may involve using a different protocol such as UDP instead of TCP or HTTP instead of ICMP to deliver an attack. Additionally, a hacker can break an attack up into several smaller packets to pass through an IDS but, when reassembled at the receiving station, will result in a compromise of the system. This is known as session splicing, for instance. Not to mention of IPS and such. Topic is endless and my first post was to give OP a bit of an insight and not to express anything professionally.

Nobody asked to write something in depth. Am I annoying you Keeper?

No, that isn’t anything related with irritation. People often get me wrong due to my excessive passion sometimes. But either ways, OP will have some food for thoughts now.

server Microsoft-IIS/6.0
x-aspnet-version 2.0.50727
x-powered-by ASP.NET

[quote=author]No, that isn’t anything related with irritation. People often get me wrong due to my excessive passion sometimes.[/quote]

Keeper, it could be just me, but i get the feeling you hate someone to say you are wrong or what you have is partial, thats what i get from the way you responded in few posts.

this feeling could be wrong or could be right, the thing that matters after all is that we all learn something, its not about who is wrong or who is right, unless its me who is right :P

Adiga: It’s not just you…. I have the same impression. This is actually one of the reasons I’ve been quiet on the forum and IRC lately.

Because of people like this I feel like I should not waste my time in these kind of discussions, especially after being called a kid.

I’m a security consultant that gets hired by governments, insurance companies and large international banks, so much for being a kid.

As far as the part “we should all learn something, it’s not about who is wrong or right”, yes that was my first impression about this site too. Too bad certain people can fuck this up…..

Cheers!

Excuse me..

[quote=0xDC]I’m a security consultant that gets hired by governments, insurance companies and large international banks, so much for being a kid.[/quote]

Apart from everything else, let’s just clear this one up. To be honest, you just talk random stuff all over the forum and your avatar is a guy with a dark sweatshirt which is really the one every wannabe uses on the interwebs today. You dick around a “hacking forum” like this one and you argue over senseless conversations like this one yet you claim to be what? I think people with somewhat decent attitude can make their own conclusions as of this quote above.

OMG There is a war going on over here. Interesting…..

Nah, there’s no war going on here and it sure as hell is not interesting. Please close this topic so we can move on….

Yes, not interesting but funny. Funny as to how you assign yourself as a “security consultant that is being hired by governments and banks”.. That really made me cry for real but yeah better someone close the thread before you got even more humiliated.

Keeper what is wrong with you?
wither he is what he says or not, what does this has to do with you?

or is it because you got criticised and you have no way of defending your self, you have decided to do a counter attack hoping ppl will forget what the original talks about you where!

All we are saying… is give peace a chanccccceeeee!!! Sssoooooo…. How can I hack FB guys?

By the way… My avatar is better than yours (except for adiga).

Peace.

@DaGr8Kornolio: Want a piece of meeeee, dude? B)

@freewind1012: You don’t know who you are messing with man… Be polite if you don’t want to feel the wrath of a master hacker cracker funnier rapper!

I’LL CTRL-ALT-DELETE YOU!!!

Is that soooooo? You can try to do that, or I will CAPS LOCK YOU TO DEATHHHHHHHHHHH!!!!!!!!!

Btw, I must be new here. You have already had 265 posts so you must be old. How about adding friend then we can troll each other till the end?

I’m still young enough to make you regret your insolence young boy!

Now you want to be friend?!? Because you know you can’t afford to become my enemy!!!

But it’s okay……. Wanna go to do some shopping?

P.S. Sorry guys to interrupt all this anger and hate with these messages of LOVE… But hey, I’m sure I missed you… See you around guys!

[quote=Keeper]Yes, not interesting but funny. Funny as to how you assign yourself as a “security consultant that is being hired by governments and banks”.. That really made me cry for real but yeah better someone close the thread before you got even more humiliated.[/quote]

Your reaction tells me that you can not handle criticism, which tells me something about your age. Now the question is, who humiliated who?!

[quote=author]Apart from everything else, let’s just clear this one up. To be honest, you just talk random stuff all over the forum and your avatar is a guy with a dark sweatshirt which is really the one every wannabe uses on the interwebs today. You dick around a “hacking forum” like this one and you argue over senseless conversations like this one yet you claim to be what? I think people with somewhat decent attitude can make their own conclusions as of this quote above. [/quote]

You really are annoying Keeper…
what you talk about is nonesence, we are all here to learn, even you!
and you start blabbing on about how an avatar is when yours clearly confuses me, what should he do other than “dick around” helping others on this site as good as he can?
talking about kids and such wont make you older or bigger.
to me i get the feeling 0xDC is 10 years older than you.
So should we drop this now and agree on never to act up like this again as it clearly wont work, the community should thrive and not be annoyed by “kids” using the term you so dearly like.

Peace - Th3FjonG <3

In the interets of my pure curiousity, @Keeper , how did you happen upon all that information?

[quote=ADIGA]Keeper what is wrong with you?
wither he is what he says or not, what does this has to do with you?

or is it because you got criticised and you have no way of defending your self, you have decided to do a counter attack hoping ppl will forget what the original talks about you where![/quote]

Let me remind you that it wasn’t me who escaped the topic of the thread and jumped to conclusions about IRL classifications and so on. I did nothing else but provide OP with food for thoughts which I think would do him great good in future. How he perceives my answer, on the other hand, is something completely different.

[quote=0xDC]Your reaction tells me that you can not handle criticism, which tells me something about your age. Now the question is, who humiliated who?![/quote]

I didn’t manage to find any criticism? You were the one that got annoyed because I replied with a bit of solid answer so I don’t get what criticism you’re talking about. I never consider any of your words as such.

[quote=th3fjonG]You really are annoying Keeper…
what you talk about is nonesence, we are all here to learn, even you!
[/quote]

Have I said anything to contradict that?

[quote=th3fjonG]..and you start blabbing on about how an avatar is when yours clearly confuses me, what should he do other than “dick around” helping others on this site as good as he can? Talking about kids and such wont make you older or bigger. To me i get the feeling 0xDC is 10 years older than you.
[/quote]

I said that he has a 0% chance of being the one he’s pretending to be judging from his comments and attitude. Everything else that I did not comment above is what I consider off-topic and completely straying away from the main talk.

Keeper,
when your done
[quote=<><>r]quoting[/quote].

please think of how members think about the way you act.
i know you should not care, that is if you really care, but since you are here to learn something new or to spread out what you know and help others …

the way you act does not help with any of those …
just take it easy and simple, do not flame because someone said you are wrong, nor because he said he did not like you, you should not fucking care for that.

if you do not like what you read, just ignore it (but not this post please).

even though im one of the oldest members in here and in some other places, fucktards do sometimes say things that are offensive for me, yet they can suck it …. i do not care, so should you.

and do not go “you do not care yet you are posting here”, cause from what i read, i know you have good things to share, so do not fucking waste our time and bandwidth with acting like god and be more humane.

everyone is prone to error, everyone has negative points that needs to be changed (my spelling as one in me).

if you have the urge to go flame people, at least try to get it somewhat logical and/or polite.

even though i fucking hate the way you act, the way your posts sound like …
i have not even once before said anything that would suggest you are an idiot or a retard or a wannabe.

can you manage doing the same with the other members?

Is there any point at all to reply to anything? Whatever I say is being ignored and everyone speaks of his own attitude and opinion.

Keeper,

It really does not matter who is wrong or who is right as long as we all learn something …
not all, maybe some will learn something.
now some of us like you have info they want to share, some like me want to learn.
some want the points, some want the power and the list go on.

what really matters that at the end of the day you know you helped someone and/or made a good impression for someone.
because that is what lasts.

i was your age not that long ago, if you want to have sex, use condom … Just kidding, Do not use it.

the point is the members here (some of them) do not feel comfort while being around you because of the way you react/talk.

now you have every right to sound the way you like, but also keep in mind others will have the right to flame you too.

and if we all started flaming each other like the fucktards we are now … we lose bandwidth ….
i hate to waste my bandwidth :(

1. All I wanted is to provide OP with a decent amount of information
2. [quote=Keeper]No, that isn’t anything related with irritation. People often get me wrong due to my excessive passion sometimes. But either ways, OP will have some food for thoughts now.[/quote]
3. I’m in no way acting superior (Godlike).
4. It wasn’t me who strayed away from the topic in the first place.
5. How members comprehend my behavior is not my problem. I won’t be losing time explaining to everyone what my attitude really is since you’re all considering me for someone else (that isn’t able to handle criticism). Well no. I’m not that one. Refer to point 2 if you may.

-.-‘
never mind

GUYS! You’re missing the most important point here!!!

HOW THE HELL DO I BYPASS AUTHENTICATION PAGE?

What page… :-)

So, I asked the guy nicely where he got his knowledge, and he doesn’t reply… Keeper says “Whatever I say is being ignored” yet i’m asking…

loltac, just drop it.

if i was trying to help or share something (regardless what my method is like), and then my help turned into some kind of debate on me being some ass ill be pissed.

if he notices your post he will answer, just give the guy a break.

the thing all started from nothing and can end to nothing.

Yeah, sorry I was kinda distracted by the rest of the talk and omitted your question. Well honestly I aim to learn new stuff every day and since my future studying and job will be involving computers and moreover online security, I started off with the basic methods and stuff some 2 years ago. Mainly from public boards like Hackforums where I reside most of the time, IRC channels, private groups and so on.

Critical Security had a nice forum sometime ago, not sure if they do now.